1) Introduction and contact details of the person responsible

1.1 We are pleased that you are visiting our website and thank you for your interest. Below we will inform you about how we handle your personal data when you use our website. Personal data is all data that can be used to identify you personally.

1.2 The data controller for this website within the meaning of the General Data Protection Regulation (GDPR) is MÜNCHNER GLÜCKSKINDL GmbH, Kapuzinerplatz 4, 80337 Munich, Germany, Tel.: +49 89 45225780, Email: t.pflaume@muenchner-glueckskindl.de. The data controller is the natural or legal person who, alone or jointly with others, determines the purposes and means of the processing of personal data.

1.3 The data controller has appointed a data protection officer, who can be contacted as follows: “Thomas Pflaume, Kapuzinerplatz 4, 80337 Munich, 089-45225780, service@muenchner-glueckskindl.de”

2) Data collection when visiting our website

2.1 If you only use our website for informational purposes, i.e. if you do not register or otherwise provide us with information, we only collect data that your browser transmits to the site server (so-called "server log files"). When you visit our website, we collect the following data that is technically necessary for us to display the website to you:

• The website visited
• Date and time of accessing the website
• Volume of data transmitted in bytes
• Source/reference from where you accessed the website
• Browser used
• Operating system used.
• IP address used (anonymous if applicable)

The data is processed in accordance with Article 6(1)(f) GDPR on the basis of our legitimate interest in improving the stability and functionality of our website. The data is not disseminated or used in any other way. However, we reserve the right to check the server logfiles retrospectively if there is concrete evidence of unlawful use.

2.2  For security reasons and to protect the transmission of personal data and other confidential information (e.g. orders or enquiries to the data controller), this website uses SSL and TSL encryption. An encrypted connection can be identified by the character sequence “https://” and the lock symbol in your browser title.

3) Hosting & Content Delivery Network

To host our website and display the page content, we use a provider who provides its services itself or through selected subcontractors exclusively on servers within the European Union.

All data collected on our website is processed on these servers.

We have concluded an order processing contract with the provider, which ensures the protection of the data of our site visitors and prohibits unauthorized disclosure to third parties.

4) Cookies

In order to make visiting our website attractive and to enable the use of certain functions, we use cookies, i.e. small text files that are stored on your device. Some of these cookies are automatically deleted when the browser is closed (so-called "session cookies"), some of these cookies remain longer on your device and allow you to save page settings (so-called "persistent cookies"). In the latter case, you can see the storage duration in the overview of the cookie settings in your web browser.

If personal data is also processed by individual cookies we use, the processing takes place in accordance with Art. 6 Paragraph 1 lit. b GDPR either for the execution of the contract, in accordance with Art. 6 Paragraph 1 lit. According to Art. 6 Para. 1 lit.f GDPR to safeguard our legitimate interests in the best possible functionality of the website and a customer-friendly and effective design of the page visit.

You can set your browser so that you are informed about the setting of cookies and individually decide whether to accept them or to exclude the acceptance of cookies for certain cases or in general.

Please note that the functionality of our website may be restricted if you reject cookies.

5) Contacting us

When contacting us (e.g. via contact form or email), personal data is processed – exclusively for the purpose of processing and answering your request and only to the extent required for this.

The legal basis for the processing of this data is our legitimate interest in answering your request in accordance with Article 6 (1) (f) GDPR. If your contact is aimed at a contract, the additional legal basis for processing is Art. 6 (1) (b) GDPR. Your data will be deleted if it can be inferred from the circumstances that the facts in question have been finally clarified and provided that there are no legal storage obligations to the contrary.

6) Data processing for order processing

6.1 Insofar as it is necessary for the execution of the contract for delivery and payment purposes, the personal data collected by us will be passed on to the commissioned transport company and the commissioned credit institution in accordance with Article 6 (1) (b) GDPR.

If we owe you updates for goods with digital elements or for digital products based on a corresponding contract, we will process the contact information you provided when placing your order in order to inform you personally within the scope of our statutory information obligations pursuant to Art. 6 (1) (c) GDPR. Your contact information will be used strictly for the purpose of notifying you of updates owed by us and will only be processed by us to the extent necessary for the respective information.

In order to process your order, we also work together with the following service provider (s) who support us in whole or in part in the execution of concluded contracts. Certain personal data is transmitted to these service providers in accordance with the following information.

6.2 Forwarding of personal data to shipping service providers

- DHL

As a transport service provider, we use the following provider: DHL Paket GmbH, Sträßchensweg 10, 53113 Bonn, Germany

We will pass on your e-mail address and/or telephone number to the provider in accordance with Article 6 (1) (a) GDPR before the goods are delivered for the purpose of coordinating a delivery date or for delivery notification, provided that you have given your express consent to do so during the ordering process have given consent. Otherwise, we will only pass on the name of the recipient and the delivery address to the provider for the purpose of delivery in accordance with Article 6 (1) (b) GDPR. The data will only be passed on if this is necessary for the delivery of the goods. In this case, prior coordination of the delivery date with the provider or the delivery notification is not possible.

The consent can be revoked at any time with effect for the future to the above-mentioned person responsible or to the provider.

6.3 Use of payment service providers (payment services)

- Paypal

One or more online payment methods from the following provider are available on this website: PayPal (Europe) Sarl et Cie, SCA, 22-24 Boulevard Royal, L-2449 Luxembourg

If you select a payment method from the provider where you pay in advance, the payment details you provided during the ordering process (including name, address, bank and payment card information, currency and transaction number) as well as information about the content of your order in accordance with Art. 6 Paragraph 1 lit. b GDPR passed on. In this case, your data will only be passed on for the purpose of payment processing with the provider and only to the extent that it is necessary for this.

If you select a payment method for which we pay in advance, you will also be asked to provide certain personal data (first and last name, street, house number, postal code, city, date of birth, e-mail address, telephone number, data if applicable) during the ordering process an alternative means of payment).

In order to safeguard our legitimate interest in determining your solvency in such cases, we will forward this data to the provider for the purpose of a credit check in accordance with Article 6 (1) (f) GDPR. Based on the personal data you provide and other data (e.g. shopping cart, invoice amount, order history, payment history), the provider checks whether the payment option you have selected can be granted with regard to payment and/or bad debt risks.

The credit report can contain probability values ​​(so-called score values). As far as score values ​​are included in the result of the credit report, they are based on a scientifically recognized mathematical-statistical procedure. The calculation of the score values ​​includes, but is not limited to, address data.

You can object to this processing of your data at any time by sending a message to us or to the provider. However, the provider may still be entitled to process your personal data if this is necessary for contractual payment processing.

6.4 Sanctions list comparison

When initiating business relationships and processing orders, we reserve the right to compare the personal data you provide to us with data from sanctions lists of the European Union and/or its individual member states and to decide on the establishment of the business relationship or the execution of the order based on the results of this comparison.

This data processing is carried out in accordance with Art. 6 (1) (c) GDPR due to our legal obligation to check and ensure that we do not enter into business relationships with sanctioned natural or legal persons and thus prevent the provision of resources to such persons.

7) web analytics services

7.1 Matomo

This website uses a web analysis service from the following provider: InnoCraft Ltd., 150 Willis St, 6011 Wellington, New Zealand, (“Matomo”)

The service collects and stores pseudonymized visitor data, including information about the device used, such as the IP address and browser information. Pseudonymized user profiles can be created and analyzed from this data for the same purpose. Cookies may be used for this. Cookies are small text files that are stored locally in the cache of the website visitor's internet browser. Among other things, cookies enable the recognition of the internet browser.

The pseudonymised information generated by the cookie is not used to personally identify the visitor to this website and is not merged with personal data about the bearer of the pseudonym.
If data is also transferred to the provider's server and the web analysis service has not been installed locally on our server, we have concluded an order processing agreement with the provider, which ensures the protection of our site visitors' data and prohibits unauthorized disclosure to third parties.

All of the processing described above, in particular the setting of cookies for reading information on the end device used, will only be carried out if you have given us your express consent in accordance with Article 6 (1) (a) GDPR. Without this consent, Matomo will not be used during your visit to the site.

You can revoke your consent at any time with effect for the future. To exercise your revocation, please deactivate this service in the "Cookie Consent Tool" provided on the website.

Data is only transferred to the provider if the service is not hosted on our servers. In the case of self-hosting, data collected via the service is not transferred to the provider.

If the service is not hosted on our own servers, we have entered into a data processing agreement with the provider, which ensures the protection of our site visitors' data and prohibits unauthorized disclosure to third parties.

In this case, an adequacy decision of the EU Commission applies to data transfers to New Zealand, which attests to compliance with European data protection standards for international data transfers.

7.2 Matomo

This website uses a web analysis service from the following provider: InnoCraft Ltd., 150 Willis St, 6011 Wellington, New Zealand, (“Matomo”)

To protect site visitors, Matomo uses a so-called "config_id" to enable various analyses of site usage within a short time window of up to 24 hours. The "config_id" is a randomly generated, time-limited hash of a limited set of visitor settings and attributes. The config_id, or config hash, is a character string calculated for a visitor based on their operating system, browser, browser plug-ins, IP address, and browser language. Matomo does not use device fingerprinting and uses an anonymized IP address of the site visitor to create the "config_id."

If the information processed in this way includes personal user data, the processing takes place in accordance with Article 6 (1) (f) GDPR on the basis of our legitimate interest in the statistical analysis of user behavior for optimization and marketing purposes. In order to object to data processing of your visitor data in the future, we provide you with a separate option to object on our website.

Data is only transferred to the provider if the service is not hosted on our servers. In the case of self-hosting, data collected via the service is not transferred to the provider.

If the service is not hosted on our own servers, we have entered into a data processing agreement with the provider, which ensures the protection of our site visitors' data and prohibits unauthorized disclosure to third parties.

In this case, an adequacy decision of the EU Commission applies to data transfers to New Zealand, which attests to compliance with European data protection standards for international data transfers.

8) Tools and miscellaneous

Cookie Consent Tool

This website uses a so-called “cookie consent tool” to obtain effective user consent for cookies and cookie-based applications that require consent. The “cookie consent tool” is displayed to users when they access the page in the form of an interactive user interface on which consent can be given for certain cookies and/or cookie-based applications by checking a box. By using the tool, all cookies/services requiring consent are only loaded if the respective user gives their consent by checking the box. This ensures that such cookies are only set on the user's device if consent has been given.

The tool sets technically necessary cookies in order to save your cookie preferences. Personal user data are generally not processed here.

If, in individual cases, personal data (such as the IP address) is processed for the purpose of storing, assigning or logging cookie settings, this is done in accordance with Art. 6 Para. 1 lit.f GDPR on the basis of our legitimate interest in a Legally compliant, user-specific and user-friendly consent management for cookies and therefore a legally compliant design of our website.

Another legal basis for processing is Article 6 (1) (c) GDPR. As the person responsible, we are subject to the legal obligation to make the use of technically unnecessary cookies dependent on the respective user consent.

If necessary, we have concluded an order processing contract with the provider, which ensures the protection of the data of our site visitors and prohibits unauthorized disclosure to third parties.

Further information on the operator and the setting options for the cookie consent tool can be found directly in the corresponding user interface on our website.

9) Rights of the data subject

9.1 The applicable data protection law grants you the following rights of data subjects (information and intervention rights) vis-à-vis the person responsible with regard to the processing of your personal data, whereby reference is made to the stated legal basis for the respective exercise requirements:

• Right to information in accordance with Art. 15 GDPR;
• Right to rectification in accordance with Art. 16 GDPR;
• Right to deletion in accordance with Art. 17 GDPR;
• Right to restriction of processing in accordance with Art. 18 GDPR;
• Right to information in accordance with Art. 19 GDPR;
• Right to data portability in accordance with Art. 20 GDPR;
• Right to revoke consent given in accordance with Art. 7 Para. 3 GDPR;
• Right to lodge a complaint in accordance with Art. 77 GDPR.

9.2 RIGHT TO OBJECT

IF WE PROCESS YOUR PERSONAL DATA WITHIN A BALANCING OF INTERESTS AND BASED ON OUR OVERRIDING LEGITIAMTE INTEREST, YOU HAVE THE RIGHT TO OBJECT TO THIS PROCESSING AT ANY TIME WITH FUTURE EFFECT FOR REASONS EMANATING FROM YOUR SPECIFIC SITUATION.

IF YOU MAKE USE OF YOUR RIGHT TO OBJECT WE WILL TERMINATE PROCESSING THE RELEVANT DATA. WE RESERVE THE RIGHT TO FURTHER PROCESSING IF WE CAN PROVE COMPELLING PRIVILEGED REASONS FOR PROCESSING THAT OVERRIDE YOUR INTERESTS, FUNDAMENTAL RIGHTS AND FREEDOMS, OR IF THE PROCESSING SERVES THE ESTABLISHMENT, EXERCISE, OR DEFENCE OF LEGAL CLAIMS.

IF YOUR PERSONAL DATA ARE PROCESSED BY US FOR DIRECT ADVERTISING, YOU HAVE THE RIGHT TO OBJECT TO THE PROCESSING OF YOUR PERSONAL DATA FOR SUCH ADVERTISING PURPOSES AT ANY TIME. YOU CAN EXERCISE YOUR OBJECTION AS DESCRIBED ABOVE.

IF YOU MAKE USE OF YOUR RIGHT TO OBJECT WE WILL TERMINATE PROCESSING THE RELEVANT DATA FOR DIRECT ADVERTISING PURPOSES.

10) Storage period of personal data

The storage duration of personal data is determined by the respective legal framework, the processing purpose, and - where appropriate - additionally by the respective legal retention period (e.g. retention periods pertaining to commercial or tax legislation).

When processing personal data on the basis of an express consent in accordance with Article 6 Paragraph 1 lit. a GDPR, the data concerned will be stored until you revoke your consent.

If legal retention periods exist for data that have been processed within transactional or transactional-similar obligations on the basis on Article 6(1)(b) GDPR, these data will be routinely erased after expiry of the retention period provided they are no longer required for the fulfilment or initiation of a contract and/or no legitimate interest on continued storage continues from our side.

When processing personal data on the basis of Article 6 Paragraph 1 Letter f GDPR, this data will be stored until you exercise your right of objection in accordance with Article 21 Paragraph 1 GDPR, unless we can provide compelling reasons worthy of protection prove the processing that outweighs your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.

When processing personal data for the purpose of direct advertising on the basis of Article 6 (1) (f) GDPR, this data will be stored until you exercise your right of objection under Article 21 (2) GDPR.

If any other information of this declaration about specific processing situations does not result in any other outcomes, stored personal data will be erased when they are no longer required for the purposes for which they were collected or processed in any other way.